A Virtual Private Network (VPN) is an essential tool for protecting your online activity. Figuring out which VPN to use and finding security among the snake oil can be a challenge. This guide will show you what to look for when shopping for a VPN.
A Virtual Private Network (VPN) is no magic bullet for newsroom security or personal privacy, but it offers key security benefits to your workflow as a journalist, especially if any part of your day involves using Wi-Fi, visiting websites or sending emails.
Much like how every phone needs to have a unique phone number for the phone system to know where to send calls to, every device that is connected to the internet has a unique Internet Protocol (IP) address. An IP address in your home or office is likely leased by an Internet Service Provider (ISP), which bills you or your boss for internet access every month. An IP address has no built-in correlation to specific geography but, over time, IP addresses have been mapped to physical locations with varying degrees of accuracy. In many cases, the mapping correspondence is accurate to a city block. Anyone who can see your internet IP address can use that to find out where you are physically located, and this presents a variety of risks ranging from exposing yourself to the website you are investigating, exposing your location to people you’re sending emails to or having your ISP record and sell your internet traffic.
When you visit a website you’re investigating, that website will discover and usually record the IP address from your visit. Similarly, some email systems may record the origin IP address you send an email from and include it with the email’s header metadata, possibly exposing your IP address to the recipient. Additionally, loading images embedded in an email message can broadcast your IP address to wherever the images are being loaded from. There’s other examples of how your IP address can fall into the wrong hands, and perhaps others yet discovered. Rather than tweaking the settings of an infinite variety of applications and hoping to never make a mistake, using a VPN can protect your devices from revealing your IP address from the rest of the internet, which would only see a VPN’s IP address and not the one for your home, office or favorite coffee shop. In addition to protecting your location, a VPN can protect your online activities from being recorded by the ISP that provides the internet connection you are using or anyone sitting next to you or in a nearby boat.
There are as many VPN providers as there are stars in the sky, but not all VPNs are credible. Some VPNs might be “free” but otherwise may need to make money by recording any unencrypted internet activity and repackaging the data it can sell from that. “If you’re not paying for the product, you are the product” is a relevant axiom here. Even paid VPN services can potentially have other concerns though, both in their privacy policies and their technology.
On the policy side of things, you’ll want to look for no-logging or low-logging guarantees, which will legally restrict a VPN from keeping records of your internet activity for longer than a given period of time—the less time it’s kept around, the better. Some of these logs may be anonymized in some way to keep some data for tracking usage metrics without tracking the users behind that usage, and although anonymizing logs can be a challenge to do well, it’s still better than not attempting to anonymize the logs. Just as with any buying decision however, reputation is established by a service’s users, so see what VPN users you know say about the VPN providers you’re considering, especially if those users have concerns similar to yours.
Although popular in marketing copy, the country a VPN is located in might offer little or no protection. Aside from the vast complex of MLAT and other agreements between countries, law enforcement has a long history of international cooperation, whether they’re in the Five Eyes or any other set of eyes. “Based in Switzerland” will not save you. On the other end of the connection, the jurisdiction you’re using a VPN from may seem suspicious in countries where VPN usage is rare and or heavily restricted.
Ultimately, a VPN is not a system designed for anonymity. Even VPN providers which provide semi-anonymous payment options and collect little customer data still see the IP address you are using to connect to their service and thus, where you are in the world. In many cases, this can be enough to narrow down your identity significantly.
On the tech side of things, a well-intentioned VPN provider may read the same philosophy books you like, but ultimately may not be competent in implementing reliable, secure internet infrastructure. Depending on what sort of security concerns you have, some of these features might not be too important, but for the best security a plain VPN can offer, there’s some settings and features we require to be available when recommending a VPN.
Just as there are standards for determining the design of bike tire valves or the size of toilet paper, there are also standards around VPN systems. OpenVPN is one such standard, widely used and very secure when implemented correctly. OpenVPN’s protocol consists of a few moving parts, each with different possible configurations, and some configurations more secure than others. The authentication part of the protocol ensures that you are the VPN customer you say you are and not someone trying to impersonate you. The “handshake” at the beginning of your connection sets the encryption keys for your VPN session and finally, a data encryption cipher uses those keys for the actual encryption of data as it travels through a VPN connection.
For a VPN provider’s OpenVPN configuration options, these are ideal settings for secure VPN usage:
|SHA256||RSA 4096 or at least RSA 2048||AES-256-GCM or AES-256-CBC|
A reputable VPN provider will be transparent about which encryption algorithms and ciphers they use. Some may have different configurations that aren’t precisely the most secure option, but may have a precise explanation explaining why their configuration is fine for them and possibly just fine for your privacy concerns as well. Sometimes, VPN software will be limited in the type or strength of encryption it can use by the operating system you're using, and you’ll want to check the VPN provider’s technical documentation to see if that is the case or not.
Every now and then, a VPN provider will cook up a fancy-sounding custom protocol, bucking existing standards. Although those may be fun to explore, these may not have the same level of scrutiny, peer-review and history of being battle-tested with large amounts of people in real-world situations. Where possible, it’s generally best to use a VPN which at least uses a standard protocol vetted by security researchers.
Some devices, namely those running iOS such as the iPhone and iPad, do not have OpenVPN support built-in, but require third-party apps such as OpenVPN Connect to work. Some VPN providers may provide instructions on setting up their service using OpenVPN with iOS, but not all will. IPSec, a different VPN protocol standard that isn’t quite as ideal as OpenVPN, is still reasonably secure when implemented correctly and is supported in iOS devices. IPSec in particular has problems where less secure pre-shared keys are sometimes used as in some situations—Golden Frog’s VyprVPN, for example, uses pre-shared keys if you set up their service on your mobile device without downloading their app, but they use a more secure connection without the use of pre-shared keys if you use their mobile app rather than setting up the VPN connection from scratch.
Beyond the fundamental nuts and bolts of the VPN protocol, the way additional protocols your devices use to connect to the internet pose other challenges, since some of those protocols cannot be routed through most VPNs and have to be blocked or routed differently to keep your ISP or local network operator from seeing what you might be up to. Domain Name System (DNS) is another computer network protocol standard. DNS uses DNS servers to translate addresses like “freedom.press” into IP addresses a computer can route a connection to. Unfortunately, the DNS servers you use are usually automatically set by your ISP or even the Wi-Fi network you connect to and will leak the fact that your device requested the IP address for freedom.press, even if they can’t determine what exactly you’re reading on freedom.press. Make sure to look for a VPN provider that is set up to prevent DNS leaks. You can test your existing VPN connection for this easily with https://leaktest.online/dns/.
Yet another protocol to add to the ever-expanding alphabet soup of network standards is IPv6. IPv6 is another, newer computer network protocol which promises a larger pool of IP addresses than those being used in IPv4. Unfortunately, it can also lead to similar leaking, so it’s best to look for a VPN with software settings or instructions for blocking all IPv6 traffic. You can test your existing VPN connection for this easily with https://leaktest.online/ipv6/. If something you're doing online absolutely requires using IPv6, an alternative new VPN protocol called Wireguard can go a step further than OpenVPN and route IPv6 traffic securely without having to block IPv6 to prevent leaks. For the moment however, Wireguard has both limited VPN provider support and narrow device support, with only some versions of Android and zero versions of Windows supported.
In addition to DNS and IPv6 leaking issues, there’s also the matter of any network activity your devices broadcast before they get a chance to connect to your VPN provider. Some VPN providers will offer software to connect to their VPN, and feature the ability to block all network traffic until VPN connection is made, sometimes called an “always on” feature or “kill switch.” Look for this feature to block other potential leakage. The layering of a growing number of new protocols and systems may also not always be tested to play nicely with OpenVPN, and it’s important to keep an eye out for what new protocols emerge and how they interact with your VPN usage.
These five VPN providers have options which, according to their online documentation or support staff, meet the aforementioned recommended settings and features. Those options might not be available for every device or automatically activated right away, however. You may need to do some additional research to see if your specific device can support the aforementioned tech considerations and if there’s any additional steps you’ll need to take to switch features on, or make changes to them:
There may be others that match the criteria and include nicer features that make it a better choice for your situation, including options that may be faster or include a broader range of payment options or specialized protocols which circumvent national online censorship. If your newsroom has a unique situation and would like to learn more about how a VPN can fit into the equation, contact us about our training options.
Photo by Josephine Pedersen. CC-BY-SA 2.0